Threat Intelligence Blog

What You Need To Know About Ransomware and Exploit Kits

By: Michael Perry

After a brief lull, ransomware infections appear to be on the rise again. In June there was a spike in infections by the Crypt family (CryptoWall and related variants), and security experts estimate that one million systems have already been compromised.

Ransomware is malicious code (malware) that limits or blocks access to a computer system, today usually by encrypting the victim's files, until a sum of money is paid. Once the ransom is paid, the victim is supposed to receive a decryption key that unlocks the files. Anecdotal evidence suggests that keys are often delivered when the ransom is paid on time, but there is no guarantee that you will regain access to your files once the demands are met. Ransomware is commonly delivered by exploit kits, also known as exploit packs, which exploit vulnerabilities in web browsers and browser plug-ins, so anyone running unpatched software is at risk. Adobe Flash Player and Oracle Java are two of the most frequently exploited products, but there are many others. Exploit kits are often fed traffic through malicious advertising (malvertising): malicious or malware-laden advertisements are injected into legitimate online advertising networks or web pages and silently redirect visitors to the kit, which then delivers the malicious code, or payload.

Law enforcement authorities and many security experts generally discourage victims from giving in to ransom demands, since every payment funds the operation and confirms to the criminals that the extortion works. This is of small comfort to anyone whose system has been virtually kidnapped, or to the many thousands of victims who have paid the ransom rather than risk losing their valuable files and potentially their businesses.

Origin and Status

According to the US Federal Bureau of Investigation (FBI), CryptoLocker, the family that brought modern crypto-ransomware to wide attention in 2013, originated in Russia. Derivatives of this ransomware have been identified in Russia and other former Soviet states, but exploit kits can be and have been developed in many countries, which makes it even harder to identify the true source of the crime from an IP address alone.

The proliferation of ransomware in 2014 and 2015 indicates a growing global trend: ransomware has become a preferred way to monetize malware infections. Exploit kits such as Angler use compromised websites to install ransomware on a host, putting millions more people at risk of infection.

No free decryption tools have been identified for recent iterations of this malware, and infections are likely to continue to escalate even as countermeasures are made public. Given the growing variety of ransomware attack vectors, awareness and prevention remain the best defenses.

Attack Vectors

Victims can become infected through Flash-based malvertising served from compromised or malicious websites. Alternatively, the malware can arrive as spam email bearing attachments with malicious code (malspam). These attachments look legitimate and pose as resumes, shipping notices, utility bills, or other routine forms of communication. The attachments are often compressed archives (.zip) that hide an executable or script inside, or graphics files (.svg), a format that can embed script.

If you are unsure whether an unsolicited email is dangerous, look for a terse message paired with an unusual file extension, and call the sender to confirm its legitimacy. Carefully scrutinize unfamiliar attachments and scan them with antivirus software before opening them; do not rely solely on the mail server's virus-detection suite, as recent waves of malspam are specifically written to evade detection.
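The attachment checks just described (a terse body, an unusual or doubled extension, an archive or SVG hiding executable content) can be automated at the mail gateway or in a triage script. The following Python is an added example, not code from the original post or from Cyveillance: the message it inspects is constructed in place rather than a real capture, and the extension lists and the "terse body" word threshold are illustrative choices, not a published standard.

```python
"""Attachment triage for the malspam patterns described above.

Added example, not code from the original post. The sample message is
constructed in build_sample_malspam(); the extension lists and the
terse-body threshold are illustrative choices.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types that execute when double-clicked on Windows (illustrative list).
EXECUTABLE_EXTS = {"exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "hta",
                   "bat", "cmd", "ps1", "jar"}
ARCHIVE_EXTS = {"zip"}   # containers that mail gateways often pass unopened


def _ext_chain(name: str) -> list[str]:
    """'resume.pdf.js' -> ['pdf', 'js']; used to spot double extensions."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_name(name: str) -> list[str]:
    """Reasons a bare filename looks suspicious (empty list means clean)."""
    reasons = []
    chain = _ext_chain(name)
    if chain and chain[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{chain[-1]}")
        if len(chain) >= 2:
            reasons.append("double extension: document-looking name hides an executable")
    if chain and chain[-1] == "svg":
        reasons.append("SVG attachment: the format can embed script")
    return reasons


def classify_attachment(name: str, data: bytes) -> list[str]:
    """Reasons for one attachment, looking inside ZIP archives as well."""
    reasons = classify_name(name)
    chain = _ext_chain(name)
    if chain and chain[-1] in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    reasons.extend(f"{member} inside archive: {r}"
                                   for r in classify_name(member))
        except zipfile.BadZipFile:
            reasons.append("archive does not parse (corrupt or disguised)")
    if chain and chain[-1] == "svg" and b"<script" in data.lower():
        reasons.append("SVG contains a <script> element")
    return reasons


def triage_message(raw: str) -> dict[str, list[str]]:
    """Map each flagged attachment filename to the reasons it was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = classify_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings


def body_is_terse(raw: str, max_words: int = 8) -> bool:
    """True when the plain-text body is a one-liner such as 'See attached'."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return len(text.split()) <= max_words


def build_sample_malspam() -> str:
    """Construct a sample message (not a real capture): terse body, a ZIP that
    hides a script behind a resume-looking name, and an SVG carrying script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.pdf.js", "// placeholder text, not a real downloader\n")
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Resume"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="resume.zip")
    msg.add_attachment(b"<svg xmlns='http://www.w3.org/2000/svg'>"
                       b"<script>alert(1)</script></svg>",
                       maintype="image", subtype="svg+xml", filename="logo.svg")
    return msg.as_string()


if __name__ == "__main__":
    sample = build_sample_malspam()
    print("terse body:", body_is_terse(sample))
    for name, reasons in triage_message(sample).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run against the constructed sample, the script flags the ZIP because the member name resume.pdf.js ends in an executable extension behind a document-looking one, and flags the SVG because it carries a script element; a plain .docx attachment produces no findings. The point is the layered check, name, container contents and body length together, rather than any single indicator.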

Symptoms of Infection

Infection typically occurs when a user visits a compromised site or opens a file from the spam email. The risk of data loss depends on which exploit kit or ransomware variant reaches the victim's machine; systems infected with Crypt variants such as CryptoLocker, CryptoWall, or CryptoDefense face the hardest recovery, because these families encrypt the files themselves rather than merely locking the screen.

Each exploit kit or ransomware variant presents the infected user with a different message, but the threat typically includes a countdown timer and a ransom demand, payable in digital currency such as Bitcoin or in prepaid cash vouchers, in exchange for the decryption key. Without that key, files encrypted by a correctly implemented variant are effectively unrecoverable.

Preventative Steps

Cybersecurity awareness training is one of the first steps you can take to keep corporate users safe on the network. Teach employees to avoid clicking on unsolicited links or pop-ups and to avoid opening unsolicited emails. Don't click on links about salacious news stories, especially on social media or from sources you don't know. Even emails from friends or family may contain malicious links, as personal accounts are frequent targets for hackers. As with other security threats, it is important to keep software, antivirus definitions, and operating systems up to date, and to perform routine backups that are kept offline, disconnected from both the host and the network, because ransomware also encrypts any mapped drives and network shares it can reach. Enabling ad-blocking extensions in browsers can help prevent infections from malvertising. It goes without saying for most security professionals, but if there is any doubt about a link, hover your mouse over it to see its real destination before clicking. If the link seems suspicious, it probably is!

Another important step is to actively monitor open source intelligence (OSINT) to learn more about attack patterns and threat actors, which industries or companies are being targeted by ransomware, and whether criminals are in the planning stages of a targeted attack against your business.

While these measures don't guarantee 100 percent safety from ransomware, it's better to be safe than sorry. Being aware of malicious threats and proactively safeguarding against them can only help keep you and your company from being compromised.

Cyveillance's Special Investigations Unit conducts a variety of open source investigations for the intelligence community. For more information about the Special Investigations Unit, or to request an in-depth report on this topic or related ones, contact us.